Find the answer to your Linux question:
Results 1 to 4 of 4
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    SHV4, SHV5 Rootkit Installed


    A customer of mine called me today and told me he thought his Linux FC 2 system was hacked. His dedicated server provider informed him of DOS attacks originating from his machine going outbound to ports 53 and 6667 to varied IPs. Investigation revealed the server was compromised nearly two weeks ago. When I got on the box I ran top and ps, both of which gave me this odd output:

    Unknown HZ value! (75) Assume 100.

    Running rkhunter revealed that rootkits SHV4 and SHV5 had most likely been installed. Further investigation revealed the following files to have been modified or installed by the hacker:

    /lib/libsh.so/shrs
    /lib/libsh.so/shhk
    /lib/libsh.so/shhk.pub
    /sbin/ttymon
    /sbin/ttyload
    /sbin/ifconfig
    /usr/lib/libsh/.sniff/shp
    /usr/lib/libsh/.sniff/shsniff
    /usr/lib/libsh/.bashrc
    /usr/lib/libsh/shsb
    /usr/lib/libsh/hide
    /usr/sbin/lsof
    /usr/bin/pstree
    /usr/bin/find
    /usr/bin/top
    /usr/bin/dir
    /usr/bin/slocate
    /usr/bin/md5sum
    /bin/ps
    /bin/ls
    /bin/netstat
    /var/tmp/httpd

    The files cannot be removed in any way. I've even tried copying unlink from an unaffected host but with no luck.

    [root@XXXXXX]# ls -l /bin/ps
    -rwxr-xr-x 1 122 114 62920 Jan 27 2005 /bin/ps
    [root@XXXXXX]# /tmp/unlink /bin/ps
    /tmp/unlink: cannot unlink `/bin/ps': Operation not permitted
    [root@XXXXXX ]# chown root /bin/ps
    chown: changing ownership of `/bin/ps': Operation not permitted

    Adding a user to the system with UID 122 and trying to perform operations as that user avails nothing either. Perhaps someone here will know how to remove the files from the inode level. (We are going to re-image the server so we don't really need to delete the files, but as a Linux administrator it's very frustrating when you can delete a file as the root user). Or perhaps someone has had a similiar experience. Or perhaps the perpetrator will pick this up in a google search and get (in whatever weird, perverted way) the satisfaction he so desperately needs.

  2. #2
    Just Joined!
    Join Date
    Nov 2005
    Location
    EPA, California
    Posts
    1

    Looks like the attributes have be changed

    The command chattr can be used to change the fundamental attributes of the file. The attribut that has probably been set by the hacker is the immutable attribute, this will prevent the file from being deleted or moved.

    Check out the man pages on chattr

    This discussion group has a post describing how to scrub a system.
    http://www.derkeiler.com/Mailing-Lis...1-10/0078.html

    Personally, I would do what you are doing and just wipe the system clean.

    By the way, how did you determine when the initial intrusion took place?

  3. #3
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Personally, I would do what you are doing and just wipe the system clean.
    I will second that. And get the rebuilt system up to date - I am not sure how the FC releases work exactly, but don't they have a newer "stable" version than FC2 by now?

    You also might consider creating an image / backup of the compromised system. This will let you:
    * Study it to try to determine how the compromise occurred.
    * Determine whether important data may have been stolen or altered.
    * Maintain evidence for potentially pressing charges.

    If you do not back it up before wiping it clean you lose evidence and may or may not learn anything from the compromise.

  4. $spacer_open
    $spacer_close
  5. #4
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,148
    -->
    I also support getting a new system up and running, but I would have to say if you need to modify these files try doing it with a live disc, where the system will be offline and you can work more easily.

    Probably better that you rebuild, though kudos on locating the modified files.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •